Bug 680196 - (CVE-2011-0465) CVE-2011-0465 xorg: xrdb code execution via crafted X client hostname
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110405,reported=20110224,sou...
Keywords: Security
Depends On: 681589 681590 681591 681592 681593 833998
Blocks: 696310 696316 696317
Reported: 2011-02-24 11:03 EST by Jan Lieskovsky
Modified: 2015-07-31 02:37 EDT
Doc Type: Bug Fix
Clones: 696310 696316 696317
Last Closed: 2012-06-20 11:48:15 EDT
Description Jan Lieskovsky 2011-02-24 11:03:28 EST
It was found that xrdb, the X server resource database
utility, did not properly sanitize system host names,
containing shell escape characters, during launch of
user graphical session (when the display manager
retrieved the system host name from resource database
via xrdb). When the display manager was configured to
listen for X Display Manager Control Protocol (XDMCP)
messages, a remote attacker could use this flaw to
remotely execute arbitrary code with the privileges
of the user running the display manager (usually
privileged system user, root). On systems, where the
XDMCP messages were disabled and the system was
configured to retrieve its host name from remote DHCP
server, a rogue DHCP server could use this flaw to
possibly execute arbitrary code with the privileges
of the user running the display manager (usually root)
via a specially-crafted host name assigned to the
victim host in question.

Note:
=====
  The display managers shipped with Red Hat Enterprise
Linux 4, 5, and 6 do not listen for remote XDMCP messages
in the default configuration, which limits this security
flaw to being exploitable only by rogue remote DHCP servers.

  The display managers shipped with Fedora releases 13
and 14 do not listen for remote XDMCP messages in the default
configuration, which limits this security flaw to being
exploitable only by rogue remote DHCP servers.
Comment 6 Murray McAllister 2011-04-05 19:12:57 EDT
Acknowledgements:

Red Hat would like to thank Matthieu Herrb for reporting this issue. Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.
Comment 7 errata-xmlrpc 2011-04-11 16:13:58 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0433 https://rhn.redhat.com/errata/RHSA-2011-0433.html
Comment 8 errata-xmlrpc 2011-04-11 16:25:13 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0432 https://rhn.redhat.com/errata/RHSA-2011-0432.html
Comment 9 Tuomo Soini 2011-04-12 02:14:07 EDT
Source files for RHSA-2011-0433 are missing from ftp.redhat.com.
Comment 10 Tomas Hoger 2011-04-12 03:43:34 EDT
(In reply to comment #9)
> Source files for RHSA-2011-0433 are missing from ftp.redhat.com.

Corrected now.
Comment 11 Kevin W. Rudd 2011-04-12 16:28:54 EDT
It looks like the patch that was created for the RHEL6 build didn't
quite match the upstream changes.

Here is what the upstream patch section looked like:

@@ -449,8 +457,9 @@ AddDefQ(String *buff, char *title, char *value)
    else
 #endif
    if (value && (value[0] != '\0')) {
-       AddDef(buff, title, "\"");
-       addstring(buff, value);
+       AddSimpleDef(buff, title);
+       addstring(buff, "=\"");
+       addescapedstring(buff, value);
        addstring(buff, "\"");
    } else
        AddDef(buff, title, NULL);
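Review bot: The three `+` lines only work as a unit: the opening delimiter that `AddDef(buff, title, "\"")` used to emit now comes from `addstring(buff, "=\"")`, so a backport that keeps the old `AddDef` call and takes only the `addescapedstring(buff, value)` line puts the delimiter back under whatever processing AddDef applies to its value argument. The hunk also calls two helpers, `AddSimpleDef` and `addescapedstring`, that are defined outside these lines; any rebased patch has to carry their definitions along, otherwise the build fails or, worse, links against an older AddDef with different quoting behaviour.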
        
This is what ended up in the new 7.4-15.el6.1 source RPM:

@@ -411,7 +413,7 @@ AddDefQ(String *buff, char *title, char
 #endif
     if (value && (value[0] != '\0')) {
        AddDef(buff, title, "\"");
-       addstring(buff, value);
+       addescapedstring(buff, value);
        addstring(buff, "\"");
     } else
        AddDef(buff, title, NULL);
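Review bot: Only `addstring(buff, value)` is swapped for `addescapedstring(buff, value)` while `AddDef(buff, title, "\"")` is kept, so the opening delimiter still travels through AddDef as a value argument and the closing delimiter is appended raw by `addstring(buff, "\"")`; the VENDOR output quoted below this hunk, `-DVENDOR=_Red Hat, Inc.\"`, shows the opening quote has come out as `_`, leaving `sh -c` an odd number of quotes, which is exactly the "unexpected EOF while looking for matching" error reported. Mirror the upstream hunk instead: replace the `AddDef(buff, title, "\"");` line with `AddSimpleDef(buff, title);` followed by `addstring(buff, "=\"");` so that both delimiters bypass escaping and only `value` goes through `addescapedstring`.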

This is causing a mismatched set of quotes for at least the VENDOR def:

-DVENDOR=_Red Hat, Inc.\"

And is causing xrdb to fail with the following errors:

sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
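The following C program is an added illustration, not xrdb's source and not the Red Hat patch, of the mechanism in the Description and of the regression in comment 11. xrdb assembles cpp defines such as -DHOST="<hostname>" into a command line that is handed to sh -c, so a hostname carrying shell metacharacters terminates the quoted value and injects commands. Three builders model the pre-fix behaviour, the upstream fix (escape only the value, emit the delimiters raw) and the backport (the opening quote reaching the escaper). The metacharacter list, the HOST define name, the sample hostname and the explanation of why the opening quote became `_` in comment 11's output are this example's assumptions; the real AddDef body is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

#define DEF_MAX 1024

/* Shell metacharacters that must never reach `sh -c` inside a define.
 * This list is an assumption for the example; upstream xrdb keeps its own. */
static const char SHELL_META[] = "\"'`$\\<>|&;(){}~*?[]#!";

static int is_shell_meta(char c)
{
    return c != '\0' && strchr(SHELL_META, c) != NULL;
}

/* Append s to a bounded buffer (the role of xrdb's addstring). */
static void addstring(char *buf, const char *s)
{
    size_t len = strlen(buf);
    if (len < DEF_MAX - 1)
        snprintf(buf + len, DEF_MAX - len, "%s", s);
}

/* Append s with every shell metacharacter replaced by '_'
 * (the role of the fix's addescapedstring). */
static void addescapedstring(char *buf, const char *s)
{
    char copy[DEF_MAX];
    size_t i;
    for (i = 0; s[i] != '\0' && i < sizeof copy - 1; i++)
        copy[i] = is_shell_meta(s[i]) ? '_' : s[i];
    copy[i] = '\0';
    addstring(buf, copy);
}

/* (1) Pre-fix: the value is copied verbatim, so an embedded '"' ends the quoted string early. */
const char *build_def_vulnerable(const char *title, const char *value)
{
    static char buf[DEF_MAX];
    buf[0] = '\0';
    addstring(buf, " -D"); addstring(buf, title);
    addstring(buf, "=\"");
    addstring(buf, value);
    addstring(buf, "\"");
    return buf;
}

/* (2) Upstream fix: delimiters emitted raw, only the value escaped, so always exactly two quotes. */
const char *build_def_fixed(const char *title, const char *value)
{
    static char buf[DEF_MAX];
    buf[0] = '\0';
    addstring(buf, " -D"); addstring(buf, title);   /* AddSimpleDef */
    addstring(buf, "=\"");
    addescapedstring(buf, value);
    addstring(buf, "\"");
    return buf;
}

/* (3) Comment 11's regression, modelled (assumption: AddDef's body is not on the page): the
 * opening quote still goes to AddDef as a value and is escaped to '_', the closing quote is raw. */
const char *build_def_backport(const char *title, const char *value)
{
    static char buf[DEF_MAX];
    buf[0] = '\0';
    addstring(buf, " -D"); addstring(buf, title);
    addstring(buf, "=");
    addescapedstring(buf, "\"");   /* AddDef(buff, title, "\"") escaping its argument */
    addescapedstring(buf, value);
    addstring(buf, "\"");
    return buf;
}

/* Double quotes sh -c would see: a safe define has exactly two, an odd count is an unterminated string. */
int count_quotes(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++)
        if (*s == '"')
            n++;
    return n;
}

int main(void)
{
    /* Constructed attacker-controlled hostname (as delivered over XDMCP or by
     * a rogue DHCP server): closes the quote, injects a command, reopens it. */
    const char *evil = "host\";id>/tmp/pwned;\"";
    const char *d = build_def_vulnerable("HOST", evil);
    printf("pre-fix:  %s  (quotes=%d)\n", d, count_quotes(d));
    d = build_def_fixed("HOST", evil);
    printf("fixed:    %s  (quotes=%d)\n", d, count_quotes(d));
    d = build_def_backport("VENDOR", "Red Hat, Inc.");
    printf("backport: %s  (quotes=%d)\n", d, count_quotes(d));
    return 0;
}
```

Build with `cc -Wall` and run: the pre-fix define carries four double quotes (the hostname's two break out of the delimiters and `id>/tmp/pwned` would run), the fixed define carries two with the metacharacters replaced by `_`, and the modelled backport define carries one, the unbalanced state behind the "unexpected EOF while looking for matching `"'" error in comment 11. The point to carry over to other shell-command builders is the same: escape the untrusted value, never the delimiters around it.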
Comment 12 Marco De la Cruz 2011-04-13 14:41:41 EDT
I had the same problem (xrdb fail, as explained in Comment 11) but under 5.6 (Tikanga) after upgrading from

xorg-x11-server-utils-7.1-4.fc6.i386

to

xorg-x11-server-utils-7.1-5.el5_6.1.i386
Comment 13 bugreports2005 2011-04-18 06:08:10 EDT
Confirming that xrdb appears broken in both RHEL5 and RHEL6, giving just the error message cited in Comment 11.
Comment 14 Tomas Hoger 2011-04-18 06:18:50 EDT
The following bugs were created to track the fix for that regression: bug #696310, bug #696316 and bug #696317.